@vibecheckai/cli 3.5.0 → 3.5.2

package/bin/runners/lib/firewall/path-validator.js

@@ -1,256 +0,0 @@
-/**
- * Path Validator
- * 
- * Validates file paths against:
- * - Forbidden paths (secrets, configs, credentials)
- * - Allowed paths (source directories)
- * - Scope violations (writing outside allowed areas)
- * 
- * Uses glob pattern matching for flexible path rules.
- */
-
-"use strict";
-
-const path = require("path");
-
-/**
- * PathValidator class for validating file paths
- */
-class PathValidator {
-  /**
-   * Create a path validator
-   * @param {object} config - Firewall configuration
-   */
-  constructor(config) {
-    this.config = config;
-    
-    // Extract path configuration
-    const paths = config.paths || {};
-    this.forbiddenPaths = paths.forbidden || [];
-    this.allowedPaths = paths.allowed || [];
-    this.enforceAllowList = paths.enforceAllowList || false;
-    
-    // Compile patterns for performance
-    this.forbiddenPatterns = this.forbiddenPaths.map(p => this.compilePattern(p));
-    this.allowedPatterns = this.allowedPaths.map(p => this.compilePattern(p));
-  }
-  
-  /**
-   * Compile a glob pattern to regex
-   * @param {string} pattern - Glob pattern
-   * @returns {RegExp} Compiled regex
-   */
-  compilePattern(pattern) {
-    // Escape special regex characters except glob wildcards
-    let regex = pattern
-      .replace(/[.+^${}()|[\]\\]/g, '\\$&')
-      .replace(/\*\*/g, '{{GLOBSTAR}}')
-      .replace(/\*/g, '[^/]*')
-      .replace(/{{GLOBSTAR}}/g, '.*')
-      .replace(/\?/g, '.');
-    
-    return new RegExp(`^${regex}$`, 'i');
-  }
-  
-  /**
-   * Check if path matches a pattern
-   * @param {string} filePath - Path to check
-   * @param {string} pattern - Glob pattern
-   * @returns {boolean} True if matches
-   */
-  matches(filePath, pattern) {
-    const regex = this.compilePattern(pattern);
-    
-    // Normalize path separators
-    const normalizedPath = filePath.replace(/\\/g, '/');
-    
-    // Check both full path and basename
-    return regex.test(normalizedPath) || regex.test(path.basename(normalizedPath));
-  }
-  
-  /**
-   * Check if path matches any pattern in list
-   * @param {string} filePath - Path to check
-   * @param {string[]} patterns - List of patterns
-   * @returns {string|null} Matching pattern or null
-   */
-  matchesAny(filePath, patterns) {
-    const normalizedPath = filePath.replace(/\\/g, '/');
-    
-    for (const pattern of patterns) {
-      if (this.matches(normalizedPath, pattern)) {
-        return pattern;
-      }
-    }
-    
-    return null;
-  }
-  
-  /**
-   * Validate a file path
-   * @param {object} params - Validation parameters
-   * @param {string} params.action - Action type (write, delete, execute)
-   * @param {string} params.path - File path to validate
-   * @returns {object} Validation result
-   */
-  validate({ action, path: filePath }) {
-    // Skip if no path provided
-    if (!filePath) {
-      return { valid: true };
-    }
-    
-    // Normalize path
-    const normalizedPath = filePath.replace(/\\/g, '/');
-    
-    // Check forbidden paths
-    const forbiddenMatch = this.matchesAny(normalizedPath, this.forbiddenPaths);
-    if (forbiddenMatch) {
-      return {
-        valid: false,
-        rule: "forbidden-path",
-        severity: "critical",
-        message: `Path "${filePath}" matches forbidden pattern "${forbiddenMatch}"`,
-        details: {
-          path: filePath,
-          pattern: forbiddenMatch,
-          reason: this.getForbiddenReason(forbiddenMatch),
-        },
-      };
-    }
-    
-    // Check allowed paths if enforcing allow list
-    if (this.enforceAllowList && this.allowedPaths.length > 0) {
-      const allowedMatch = this.matchesAny(normalizedPath, this.allowedPaths);
-      if (!allowedMatch) {
-        return {
-          valid: false,
-          rule: "scope-violation",
-          severity: "high",
-          message: `Path "${filePath}" is outside allowed scope`,
-          details: {
-            path: filePath,
-            allowedPaths: this.allowedPaths,
-            suggestion: "Add the path to 'paths.allowed' in firewall config or move file to allowed directory",
-          },
-        };
-      }
-    }
-    
-    // Check for sensitive patterns even if not in forbidden list
-    const sensitiveCheck = this.checkSensitivePatterns(normalizedPath);
-    if (sensitiveCheck) {
-      return sensitiveCheck;
-    }
-    
-    return { valid: true };
-  }
-  
-  /**
-   * Get reason why a path is forbidden
-   * @param {string} pattern - Forbidden pattern
-   * @returns {string} Human-readable reason
-   */
-  getForbiddenReason(pattern) {
-    const reasons = {
-      ".env": "Environment files may contain secrets",
-      ".env.*": "Environment files may contain secrets",
-      "*.pem": "Certificate files are sensitive",
-      "*.key": "Private key files are sensitive",
-      "secrets/**": "Secrets directory is protected",
-      ".git/**": "Git internals should not be modified",
-      "package-lock.json": "Lock files should be managed by package manager",
-      "config/production.*": "Production config may contain secrets",
-    };
-    
-    for (const [key, reason] of Object.entries(reasons)) {
-      if (pattern.includes(key) || key.includes(pattern)) {
-        return reason;
-      }
-    }
-    
-    return "Path matches forbidden pattern";
-  }
-  
-  /**
-   * Check for sensitive patterns that might indicate credentials
-   * @param {string} filePath - Path to check
-   * @returns {object|null} Violation if found
-   */
-  checkSensitivePatterns(filePath) {
-    const sensitivePatterns = [
-      { pattern: /credentials?/i, name: "credentials" },
-      { pattern: /secrets?/i, name: "secrets" },
-      { pattern: /password/i, name: "password" },
-      { pattern: /private.*key/i, name: "private-key" },
-      { pattern: /\.pem$/i, name: "certificate" },
-      { pattern: /\.p12$/i, name: "certificate" },
-      { pattern: /\.pfx$/i, name: "certificate" },
-      { pattern: /id_rsa/i, name: "ssh-key" },
-      { pattern: /id_ed25519/i, name: "ssh-key" },
-    ];
-    
-    for (const { pattern, name } of sensitivePatterns) {
-      if (pattern.test(filePath)) {
-        // Check if this is explicitly allowed
-        const isAllowed = this.allowedPaths.some(p => this.matches(filePath, p));
-        if (!isAllowed) {
-          return {
-            valid: false,
-            rule: "sensitive-path",
-            severity: "high",
-            message: `Path "${filePath}" appears to contain sensitive data (${name})`,
-            details: {
-              path: filePath,
-              sensitiveType: name,
-              suggestion: "If this is intentional, add the path to 'paths.allowed' in firewall config",
-            },
-          };
-        }
-      }
-    }
-    
-    return null;
-  }
-  
-  /**
-   * Batch validate multiple paths
-   * @param {string[]} paths - Paths to validate
-   * @returns {object[]} Validation results
-   */
-  validateBatch(paths) {
-    return paths.map(p => ({
-      path: p,
-      ...this.validate({ path: p }),
-    }));
-  }
-  
-  /**
-   * Get all forbidden paths
-   * @returns {string[]} Forbidden paths
-   */
-  getForbiddenPaths() {
-    return [...this.forbiddenPaths];
-  }
-  
-  /**
-   * Get all allowed paths
-   * @returns {string[]} Allowed paths
-   */
-  getAllowedPaths() {
-    return [...this.allowedPaths];
-  }
-  
-  /**
-   * Check if path is in a protected directory
-   * @param {string} filePath - Path to check
-   * @returns {boolean} True if protected
-   */
-  isProtected(filePath) {
-    const result = this.validate({ path: filePath });
-    return !result.valid;
-  }
-}
-
-module.exports = {
-  PathValidator,
-};